OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

ADMINISTRATIVE COSTS CLAIMED BY THE ALABAMA DISABILITY DETERMINATION SERVICE

February 2008   A-08-07-17151

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud,
waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:      February 29, 2008

To:        Paul D. Barnes
           Regional Commissioner
           Atlanta

From:      Inspector General

Subject:   Administrative Costs Claimed by the Alabama Disability Determination Service (A-08-07-17151)

OBJECTIVES

Our objectives were to

• evaluate the Alabama Department of Education’s (AL-DE) and Alabama Disability Determination Service’s (AL-DDS) internal controls over the accounting and reporting of administrative costs,

• determine whether costs AL-DDS claimed for Fiscal Years (FY) 2005 and 2006 were allowable and funds were properly drawn, and

• assess limited areas of AL-DDS’ general security controls environment.

BACKGROUND
Disability determinations under the Social Security Administration’s (SSA) Disability Insurance and Supplemental Security Income programs are performed by disability determination services (DDS) in each State or other responsible jurisdiction, according to Federal regulations.[1] In carrying out its obligation, each DDS is responsible for determining claimants’ disabilities and ensuring adequate evidence is available to support its determinations.
To make proper disability determinations, each DDS is authorized to purchase consultative medical examinations and medical evidence of record from the claimants’ physicians or other treating sources. SSA reimburses the DDS for 100 percent of allowable expenditures. DDSs report program disbursements and unliquidated obligations each quarter on Form SSA-4513, State Agency Report of Obligations for SSA Disability Programs.

[1] 20 Code of Federal Regulations §§ 404.1601 et seq. and 416.1001 et seq.

Page 2 – Paul D. Barnes

AL-DDS, a division of AL-DE, is located in Birmingham, Alabama, and has a branch office in Mobile, Alabama. AL-DE maintains AL-DDS’ official accounting records and prepares its Forms SSA-4513. For additional background, scope and methodology, see Appendix B.

RESULTS OF REVIEW
AL-DE’s and AL-DDS’ internal controls over the accounting and reporting of administrative costs for FYs 2005 and 2006 were generally effective to ensure costs claimed were allowable and funds were properly drawn. However, AL-DDS did not always properly manage its general security controls.
As such, AL-DDS’ security practices and controls did not adequately protect office facilities and claimant data.

For the Birmingham AL-DDS office, we determined

• perimeter access controls were not appropriately used and

• recycling and cleaning practices placed claimants’ personally identifiable information (PII) at risk.

For the Mobile AL-DDS office, we determined equipment rooms were not locked. Finally, AL-DDS did not adequately document employees’ annual security awareness training or establish a Security Plan that complied with SSA’s requirements.

PERIMETER ACCESS CONTROLS NEEDED IMPROVEMENT

Intrusion Detection System Sensors Not Reactivated Timely and Perimeter Door Not Always Locked

SSA’s policy requires that DDSs adequately safeguard claimant/program information and facilities used by their personnel.[2] However, AL-DDS’ security practices did not maintain the integrity of its perimeter controls in the Birmingham office.

AL-DDS installed an intrusion detection system (IDS) to enhance building security and supplement its 24-hour guard service but kept IDS sensors deactivated on three doors for approximately 5 hours beyond normal business hours. AL-DDS deactivated IDS sensors each weekday morning to facilitate deliveries and provide employees access to a designated smoking area. While AL-DDS used surveillance cameras to monitor all three doors and kept two of the three doors locked, it did not reactivate IDS sensors until approximately 10:00 p.m. each weeknight. AL-DDS told us it delayed reactivating IDS sensors to accommodate its cleaning service. We believe AL-DDS should reactivate IDS sensors at the end of the business day.

[2] SSA Program Operations Manual System (POMS), section DI 39566.010.A and B.

Additionally, AL-DDS allowed one of the three doors to remain unlocked until 5:00 p.m. each weekday to provide employees access to a smoking area. While AL-DDS has latticework around the smoking area, we do not believe this is an adequate safety measure. AL-DDS should keep the unsecured door locked to prevent unauthorized access to its facilities.

Accordingly, AL-DDS did not consistently maintain the integrity of its building access controls, which increased the building’s vulnerability to intrusion. We recommend SSA address these perimeter security issues with AL-DDS and instruct it to reactivate IDS sensors timely and keep the perimeter door locked.

Intrusion Detection System Not Adequately Protected

SSA policy instructs DDS management to ensure ongoing security of data, personnel and property by protecting its systems.[3] However, AL-DDS did not adequately protect access to its IDS. Although the DDS’ guard station contained the IDS keypad, backup power supply and camera system, the DDS did not have a lock on the guard station door. While the guard is generally in the guard station, there are instances when the guard may be away from his post for a short period. Therefore, we believe an unattended and unlocked guard station could provide third parties access to the IDS and security equipment.

Furthermore, we found the IDS code displayed on the guard station wall. When we brought this to the Security Officer’s attention, he removed the code from the wall. We believe its open display could have compromised the IDS code. As such, we believe AL-DDS should change its IDS code.
Also, AL-DDS should install a lock on the guard station door and keep the guard station locked when it is unattended.

Intrusion Detection System Not Tested Semiannually

Contrary to SSA policy, AL-DDS had not tested its IDS semiannually to ensure all sensors were working properly.[4] We believe AL-DDS risked the IDS’ effectiveness by not testing it as required. We discussed this finding with AL-DDS management and learned they were amending their agreement with the monitoring company. The renegotiated agreement will include semiannual testing of the system. While AL-DDS’ actions adequately address our concern, we recommend it ensure the IDS is tested semiannually.

[3] POMS, section DI 39566.010.A.
[4] POMS, section DI 39566.010.B.2.h.

PERSONALLY IDENTIFIABLE INFORMATION AT RISK

Recycling Bins Not Adequately Secured

SSA policy requires that DDSs dispose of claimant PII so it is unattainable to unauthorized personnel.[5] However, on two occasions during our field work, AL-DDS’ Birmingham office left a recycling bin containing PII outside on a loading dock. In fact, we determined the bin remained outside for multiple days.

AL-DDS management told us it allowed employees to place recycling bins outside before the shredding contractor’s scheduled pick-up time. As a result, AL-DDS inadvertently made claimant PII accessible to unauthorized personnel. We discussed our finding with AL-DDS management, who told us they were addressing this issue and would no longer place recycling bins containing PII outside before the recycling contractor’s arrival.
The manager also stated they have instructed employees to check bins after the contractor completed its shredding to ensure no outside bins contain PII. Although AL-DDS’ actions adequately address our concerns, we recommend they monitor the recycling process.

Claimant Records Not Adequately Secured

SSA policy states DDSs should secure claimant records and folders to avoid unauthorized disclosures when sensitive areas are cleaned outside of normal business hours.[6] However, AL-DDS’ contracted service cleaned the Birmingham office, including its sensitive areas, during non-business hours; and one such area, the Data Entry unit, contained over 200 unsecured claimant folders.

In 2002, we identified and reported to SSA and AL-DDS that the DDS allowed third parties, such as cleaning staff, access to sensitive areas where claimant data were unsecured.[7] When we discussed our prior finding with AL-DDS management, they told us they were more concerned with the flow of operations than with the risk of claimants’ folders being compromised. Although AL-DDS told us they did not believe available space would accommodate storage requirements, they agreed its contracted service could clean departments with a high volume of sensitive material, such as the Data Entry unit, during business hours. However, AL-DDS has continued to allow cleaning staff access to unsecured sensitive claimant data. We recommend that SSA require that AL-DDS either clean sensitive areas during business hours or implement a clean-desk policy to ensure claimant data are properly secured.

[5] POMS, section DI 39566.110.D.
[6] POMS, section DI 39566.010.B.6.e.
[7] General Controls of the Alabama Disability Determination Services Claims Processing System Need Improvement (A-14-02-22089), issued September 2002.

EQUIPMENT ROOMS NOT LOCKED

SSA policy requires that DDSs keep utility boxes and closets locked to prevent tampering.[8] However, during our site visit to the Mobile, Alabama, office, we found the mechanical and telephone rooms were unsecured, and the telephone room did not have a lock. After discussing our findings with AL-DDS management, they immediately locked the mechanical room door and installed a lock on the telephone room door. We believe AL-DDS adequately addressed our concern. However, AL-DDS should remind its personnel about securing the equipment rooms to avoid any unnecessary risk. We recommend AL-DDS monitor the equipment rooms to ensure they remain locked.

ANNUAL SECURITY AWARENESS TRAINING NOT ADEQUATELY DOCUMENTED

SSA policy requires that DDSs conduct annual security awareness training and obtain a signed statement of understanding from its employees.[9] Although AL-DDS conducted the required training, it required that employees sign a Form SSA-120, Application for Access to SSA Systems—a form that was designed for other purposes. We discussed this finding with AL-DDS management, who stated they will obtain employees’ signed statements of understanding in accordance with SSA policy. We believe AL-DDS is adequately addressing our concern.

SECURITY PLAN NOT ADEQUATE

SSA policy requires that DDSs establish and maintain a written Security Plan for each of its sites.[10] However, AL-DDS’ Security Plan only contained three of eight required parts, and these parts did not contain all of the required elements.
For example, Part A, Physical Security DDS Description/Profile, did not contain[11]

• the size of office,
• the situation of office (shared tenancy),
• a description of existing security in place during non-business hours,
• a description of computer system and communications equipment,
• a description of workload, and
• a DDS organizational chart and list of number and types of DDS personnel.

[8] POMS, section DI 39566.010.B.1.k.
[9] POMS, section DI 39566.120.C.3.
[10] POMS, sections DI 39566.010.B.8, DI 39566.120.B, and DI 39566.120.C. The Security Plan contains eight parts: Physical Security DDS Description/Profile; DDS Systems Interconnection Access Security Plan; Systems Security Awareness and Training Plan; Tri-Annual Systems Review/Recertification Plan; Violation Reports and Resolution Plan; Continuity of Operations Plan; Disaster Recovery Plan; and Risk Assessment/Exceptions.
[11] POMS, section DI 39566.120.C.1.

Also, Part F, Continuity of Operations Plan, did not contain a description of procedures and persons to contact at the Regional Office or the DDS’ workload.[12] Furthermore, Part G, Disaster Recovery Plan, did not contain a description of local resources AL-DDS would need if a disaster occurred.[13]

AL-DDS management told us their Security Plan omissions were an oversight. AL-DDS further stated it would revise its Security Plan and include the missing items. We believe an incomplete Security Plan could negatively impact the DDS’ ability to resume operations in the event of a disaster or disruption of its workflow.
AL-DDS should ensure its Security Plan meets SSA’s requirements.

CONCLUSION AND RECOMMENDATIONS
AL-DE’s and AL-DDS’ internal controls over the accounting and reporting of administrative costs for FYs 2005 and 2006 were generally effective to ensure costs claimed were allowable and funds were properly drawn. However, AL-DDS’ general security controls and practices did not always adequately protect office facilities and claimant data, and AL-DDS did not have an adequate Security Plan.

Accordingly, we recommend that SSA instruct AL-DDS to:

1. Reactivate the IDS’ sensors at the end of the business day.
2. Keep the perimeter door locked.
3. Change the IDS code.
4. Install a lock on the guard station door.
5. Keep the guard station locked when it is unattended.
6. Ensure the IDS is tested semiannually.
7. Monitor the recycling process to ensure claimant PII is inaccessible to unauthorized personnel.
8. Require that its contracted service clean sensitive areas during business hours. If AL-DDS continues cleaning sensitive areas during non-business hours, it should ensure that claimant information is properly secured from unauthorized personnel.
9. Monitor equipment rooms at the Mobile, Alabama, office to ensure they remain locked.
10. Obtain signed statements of understanding from employees regarding annual security awareness training.
11. Revise its Security Plan to meet SSA’s requirements.

[12] POMS, section DI 39566.120.C.6.
[13] POMS, section DI 39566.120.C.7.

AGENCY COMMENTS AND OIG RESPONSE
SSA agreed with all of our recommendations, except for Recommendation 2. For Recommendation 2, the Agency agreed with the intent of the recommendation and instructed the DDS to conduct a risk assessment to determine appropriate corrective action.
We believe the Agency’s response and planned actions adequately address our concerns. The full text of SSA’s and AL-DDS’ comments is included in Appendices D and E.

OTHER MATTER

In September 2005, we issued a report on Disability Determination Services’ Use of Social Security Numbers on Third-Party Correspondence. In this report, we recommended that SSA:

      Clarify existing policy to define what third parties may be provided a claimant’s Social Security Number (SSN) as a part of the DDS’s disability determination process. To ensure SSN integrity, we believe the SSN should only be disclosed when it is critical to a third party’s ability to adequately respond to the DDS’s information request.

SSA agreed with this recommendation and stated:

      A claimant’s SSN should only be disclosed when it is critical to a third party’s ability to adequately respond to a DDS’s information request. We will review and, to the extent necessary, clarify our existing policy to more clearly define which third parties should be provided a claimant’s full or partial SSN as part of the DDS evidence collection process.

We asked AL-DDS if it disclosed claimants’ SSNs on documents sent to third parties. AL-DDS confirmed that it includes claimants’ SSNs on requests for medical evidence of record, consultative examinations and applicant travel documents and has been doing so for many years. We believe AL-DDS should take steps to exclude the SSN from documents it sends to third parties.

Patrick P. O’Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Background, Scope and Methodology
APPENDIX C – Schedule of Total Costs Reported on Forms SSA-4513—State Agency Reports of Obligations for Social Security Administration Disability Programs
APPENDIX D – Agency Comments
APPENDIX E – Alabama Disability Determination Service Comments
APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
Act        Social Security Act
AL-DDS     Alabama Disability Determination Service
AL-DE      Alabama Department of Education
C.F.R.     Code of Federal Regulations
DDS        Disability Determination Services
DI         Disability Insurance
FY         Fiscal Year
IDS        Intrusion Detection System
PII        Personally Identifiable Information
POMS       Program Operations Manual System
SSA        Social Security Administration
SSI        Supplemental Security Income
SSN        Social Security Number
Treasury   Department of the Treasury

Form
SSA-4513   State Agency Report of Obligations for SSA Disability Programs

Appendix B

Background, Scope and Methodology
BACKGROUND
The Disability Insurance (DI) program, established under Title II of the Social Security Act (Act), provides benefits to wage earners and their families in the event the wage earner becomes disabled.
The Supplemental Security Income (SSI) program, established under Title XVI of the Act, provides benefits to financially needy individuals who are aged, blind, or disabled.

The Social Security Administration (SSA) is responsible for implementing policies for the development of disability claims under the DI and SSI programs. Disability determinations under both the DI and SSI programs are performed by disability determination services (DDS) in each State, Puerto Rico and the District of Columbia in accordance with Federal regulations.[1] In carrying out its obligation, each DDS is responsible for determining claimants’ disabilities and ensuring adequate evidence is available to support its determinations. To assist in making proper disability determinations, each DDS is authorized to purchase medical examinations, x-rays, and laboratory tests on a consultative basis to supplement evidence obtained from claimants’ physicians or other treating sources.

SSA reimburses the DDS for 100 percent of allowable expenditures up to its approved funding authorization. The DDS withdraws Federal funds through the Department of the Treasury’s (Treasury) Automated Standard Application for Payments System to pay for program expenditures.[2] Funds drawn down must comply with Federal regulations and intergovernmental agreements entered into by Treasury and States under the Cash Management Improvement Act of 1990.[3] An advance or reimbursement for costs under the program must comply with the Office of Management and Budget’s Circular A-87, Cost Principles for State, Local and Indian Tribal Governments.
At the end of each quarter of the Fiscal Year (FY), each DDS submits a State Agency Report of Obligations for SSA Disability Programs (Form SSA-4513) to account for program disbursements and unliquidated obligations.

[1] 20 Code of Federal Regulations (C.F.R.) §§ 404.1601 et seq. and 416.1001 et seq.
[2] 31 C.F.R. Part 205.
[3] Public Law 101-453, 104 Stat. 1058, in part amending 31 United States Code §§ 3335, 6501, and 6503.

SCOPE
To accomplish our objectives, we:

• Reviewed applicable Federal laws, regulations and pertinent parts of SSA’s Program Operations Manual System (POMS) DI 39500, DDS Fiscal and Administrative Management, and other instructions pertaining to administrative costs Alabama Disability Determination Service (AL-DDS) incurred and requests for Federal funds covered by the Cash Management Improvement Act agreement.

• Interviewed Alabama Department of Education’s (AL-DE) and AL-DDS’ staff and corresponded with SSA Regional Office personnel.

• Reconciled the electronic disbursement files AL-DE provided us to the administrative costs it reported on Forms SSA-4513 for FYs 2005 and 2006 through the quarter ended September 30, 2006.

• Evaluated and tested internal controls over accounting, financial reporting and cash management activities.

• Examined documentation for statistically selected direct cost transactions (personnel, medical services, and all other non-personnel costs) AL-DE reported for the audit period to determine whether the costs were allowable under Office of Management and Budget Circular A-87, Cost Principles for State, Local and Indian Tribal Governments, and if appropriate, as defined by POMS.

• Examined the Indirect Cost Rate Agreements in effect during the audit period and evaluated the propriety of AL-DE’s calculation of reported indirect costs.

• Compared the amount of SSA funds AL-DE drew down to support program operations with the disbursements it reported on Forms SSA-4513.

• Reviewed the State of Alabama Single Audit reports for FYs 2005 and 2006.

• Conducted a physical inventory of selected (1) equipment items contained on AL-DDS’ inventory listings and (2) computer hardware items SSA provided to AL-DDS.

• Conducted limited general control testing—which encompassed reviewing the physical access security within AL-DDS.

The electronic data used in our audit were sufficiently reliable to achieve our audit objectives. We assessed the reliability of the electronic data by reconciling them with the costs claimed on the Forms SSA-4513. We also conducted detailed audit testing on selected data elements in the electronic data files.

We performed our audit at AL-DE in Montgomery, Alabama; AL-DDS in Birmingham and Mobile, Alabama; and the Office of Audit in Birmingham, Alabama, from March through October 2007. We conducted this financial audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

SAMPLING METHODOLOGY
Our sampling methodology encompassed the three areas of direct costs reported on Forms SSA-4513: (1) personnel, (2) medical, and (3) all other non-personnel costs. We obtained computerized data from AL-DE for FYs 2005 and 2006 for use in statistical sampling.

Personnel Costs

We reviewed a random sample of 50 personnel transactions from 1 randomly selected pay period in FY 2006. Because management is on a different pay schedule from other DDS employees, we also reviewed the Administrator’s personnel transactions for the pay period following the one selected for other personnel. In addition, we reviewed all 45 medical consultants’ transactions from 1 randomly selected pay period in FY 2006. We tested payroll records to ensure AL-DE correctly paid these employees and adequately supported the payments.

Medical Costs

We reviewed 100 medical cost items (50 items from each FY) using a stratified random sample. We distributed the sample items between medical evidence of record and consultative examinations based on the proportional distribution of the total medical costs for each year. We determined whether sampled costs were properly reimbursed.

All Other Non-Personnel Costs

We stratified all other non-personnel costs for each year into 10 categories: (1) Occupancy, (2) Contracted Costs, (3) Electronic Data Processing Maintenance, (4) Equipment Purchases, (5) Equipment Rental, (6) Communications, (7) Applicant Travel, (8) DDS Travel, (9) Supplies, and (10) Miscellaneous. For each year under review, we randomly selected 1 month’s Occupancy costs and reviewed all transactions for each month. Next, we randomly selected 50 transactions to review for each year from the 9 remaining cost categories (100 sample items total).
The number of sample items selected from each of the nine cost categories for each year was based on the proportional distribution of the costs included in each cost category for that year.

Appendix C

Schedule of Total Costs Reported on Forms SSA-4513—State Agency Reports of Obligations for Social Security Administration Disability Programs

Alabama Disability Determination Service

FISCAL YEARS (FY) 2005 and 2006 COMBINED
REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel           $40,642,058                 $1,629,819         $42,271,877
Medical              20,819,723                  2,007,402          22,827,125
Indirect              4,588,574                    298,144           4,886,718
All Other             7,031,353                    300,124           7,331,477
TOTAL               $73,081,708                 $4,235,489         $77,317,197

FY 2005
REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel           $20,824,017                          0         $20,824,017
Medical              11,868,623                          0          11,868,623
Indirect              2,665,694                          0           2,665,694
All Other             3,908,547                          0           3,908,547
TOTAL               $39,266,881                          0         $39,266,881

FY 2006
REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel           $19,818,041                 $1,629,819         $21,447,860
Medical               8,951,100                  2,007,402          10,958,502
Indirect              1,922,880                    298,144           2,221,024
All Other             3,122,806                    300,124           3,422,930
TOTAL               $33,814,827                 $4,235,489         $38,050,316

Appendix D

Agency Comments

SOCIAL SECURITY
MEMORANDUM

Date:      February 21, 2008

To:        Patrick P. O’Carroll, Jr.
           Inspector General

From:      Regional Commissioner
           Atlanta

Subject:   REPLY-Administrative Costs Claimed by the Alabama Disability Determination Service (A-08-07-17151)

Thank you for the opportunity to comment on the OIG draft report as outlined in the subject. Our comments are attached along with the response received from the Alabama Disability Determination Service.

We agree with your findings and present our views in the area that impacts the DDS as it relates to Personal Identifiable Information (PII) in the electronic environment.

If you wish to discuss our response, please call me or have your staff contact Joann Strange, Disability Program Administrator, at 404-562-1399.

/s/
Paul D. Barnes

Attachment

Cc:
Ruby Burrell, Associate Commissioner for Office of Disability Determinations
Jeffrey Hild, Associate Commissioner for Office of Financial Policy and Operations
Amy Roberts, Atlanta Region Assistant Regional Commissioner for Management and Operations Support
Candice Skurnik, Director, Audit Management and Liaison Staff
Tommy Warren, Director, Alabama Disability Determination Service

OIG Audit (A-08-07-17151)
Administrative Costs & General Security Controls
Social Security Administration Written Comments

Thank you for the opportunity to comment on the formal draft report of the Alabama Disability Service (DDS) Administrative Costs and General Security Controls for Fiscal Years 2005 and 2006.

SSA acknowledges that there were no adverse findings or corrective actions necessary regarding fiscal controls. Our comments below address the areas regarding general security controls where corrective action was recommended.

Finding – The intrusion detection system (IDS) sensors were not reactivated timely and the perimeter door was not always locked.

Recommendation 1 – Reactivate the IDS sensors at the end of the business day.

We agree and the AL DDS has implemented corrective action as recommended.

Recommendation 2 – Keep the perimeter door locked.

We agree with the intent of the recommendation. However, given that the perimeter door referenced leads to the employee smoking area which is frequented by employees throughout the day, we have instructed the DDS to conduct a risk assessment to determine appropriate corrective action.

Finding – The intrusion detection system was not adequately protected.

Recommendation 3 – Change the IDS code.

We agree.
The IDS code was changed on February 7, 2008.\n\nRecommendation 4 \xe2\x80\x93 Install a lock on the guard station.\n\nWe agree. The guard station lock was installed on January 24, 2008 as\nrecommended.\n\nRecommendation 5 \xe2\x80\x93 Keep the guard station locked when unattended.\n\nWe agree. With the implementation of recommendation 4, the AL DDS will\nensure that the guard station is locked when unattended.\n\n\n\n\n                                      D-2\n\x0c                         OIG Audit (A-08-07-17151)\n              Administrative Costs & General Security Controls\n              Social Security Administration Written Comments\n\nFinding \xe2\x80\x93 The intrusion detection system was not tested annually.\n\nRecommendation 6\xe2\x80\x93 Ensure that the IDS is tested semiannually.\n\nWe agree. The AL DDS FY 2008 IDS vendor\xe2\x80\x99s maintenance agreement was\nrevised to provide for semi-annual testing. First IDS testing was done on\nDecember 7, 2007 and documented.\n\nFinding \xe2\x80\x93 Recycling bins were not adequately secured.\n\nRecommendation 7 \xe2\x80\x93 Monitor the recycling process to ensure claimant PII is\ninaccessible to unauthorized personnel.\n\nWe agree. The DDS changed its recycling contractor and implemented\nmonitoring procedures to ensure that PII will not be placed outdoors until the\nrecycling contractor arrives.\n\nFinding \xe2\x80\x93 Claimant records are not adequately secured.\n\nRecommendation 8 \xe2\x80\x93 Require that its contracted service clean sensitive areas\nduring business hours. If AL-DDS continues cleaning sensitive areas during non-\nbusiness hours, it should ensure that claimant information is properly secured\nfrom unauthorized personnel.\n\nWe agree. 
The AL DDS instructed its contract cleaning service to clean sensitive\nareas during normal business hours.\n\nFinding \xe2\x80\x93 Mobile equipment rooms were not locked.\n\nRecommendation 9\xe2\x80\x93 Monitor equipment rooms in the Mobile, Alabama office to\nensure they remain locked.\n\nWe agree. Appropriate personnel will ensure that these rooms are always\nsecured and locked to prevent any unnecessary risks.\n\nFinding \xe2\x80\x93 Annual security awareness training was not adequately documented.\n\nRecommendation 10 \xe2\x80\x93 Obtain signed statements of understanding from\nemployees regarding annual security awareness training.\n\nWe agree. The DDS designed a form that now requires an employee signature\nwhen the annual security awareness training takes place.\n\n\n\n\n                                       D-3\n\x0c                        OIG Audit (A-08-07-17151)\n             Administrative Costs & General Security Controls\n             Social Security Administration Written Comments\n\nFinding \xe2\x80\x93 The DDS Security Plan was not adequate.\n\nRecommendation 11 \xe2\x80\x93 Revise the Security Plan to meet SSA\xe2\x80\x99s requirements.\n\nWe agree. SSA is working with the DDS to ensure that all eight parts of the\nSecurity Plan are complete and up to date in accordance with the POMS. The\nDDS has targeted all of their Security Plan revisions for February 29, 2008.\n\nOTHER MATTER\n\nFinding \xe2\x80\x93 We asked AL-DDS if it disclosed claimant\xe2\x80\x99s SSNs on documents sent\nto third parties. 
AL-DDS confirmed that it includes claimant\xe2\x80\x99s SSNs on requests\nfor medical evidence of record (MER), consultative examinations (CE) and\napplicant travel documents and has been doing so for many years.\n\nRecommendation \xe2\x80\x93 The AL-DDS should take steps to exclude the SSN from\ndocuments that it sends to third parties.\n\nSSA agrees that there is no need for DDSs to provide the claimant\xe2\x80\x99s SSN to third\nparties (e.g., employers, neighbors, relatives, day care providers, etc.) who are\nnot MER, CE, or school sources. The AL-DDS also is in full agreement and does\nnot include SSNs to these third parties.\n\n\nHowever, the AL-DDS needs to provide a claimant\xe2\x80\x99s full SSN to MER, CE, and\nschool providers to enable them to transmit evidence using Electronic Records of\nEvidence (ERE) Services. Also, legacy system programming, scanning\nprocedures, and utilization of staff resources in the DDS would be adversely\naffected in obtaining the specific identified information if SSNs were not used.\nThe applicant travel form is only provided to the claimant.\n\n\n\nIf your staff has any questions, please have them contact Joann Strange at\n(404)-562-1399.\n\n\n\n\n                                       D-4\n\x0c                                    Appendix E\n\nAlabama Disability Determination Service\nComments\n\x0c                       Alabama Disability Determination Service\n                          Response to Request for Comments\n\n                                     OIG Audit\n                                  (A-08-07-17151)\n\n The Office of the Inspector General conducted an audit of the Administrative Costs\nclaimed by the Alabama Disability Service (DDS) for Fiscal Years 2005 and 2006. In the\nOIG audit report there were a number of areas regarding general security controls where\ncorrective action was recommended. 
There were no adverse findings or corrective actions\nrecommended regarding fiscal controls.\n\nFollowing are the findings where OIG recommended corrective action, along with the\nDDS response to those recommendations. Those findings and corrective actions are as\nfollows:\n\nFinding \xe2\x80\x93 The intrusion detection system (IDS) sensors were not reactivated timely and\nthe perimeter door was not always locked. Recommendation- Reactivate the IDS sensors\nat the end of the business day. Recommendation \xe2\x80\x93 Keep the perimeter door locked.\n\nResponse \xe2\x80\x93 The DDS will reactivate the sensors at the end of the business day, as\nrecommended in the report. Additionally, the perimeter door was put on its own sensor\nzone on February 7, 2008. The door in question leads to the employee smoking area.\nEmployees exit to this area at various times during the workday for breaks and during\nlunch. This smoking area is enclosed by an eight foot fence, viewable by DDS security\ncameras and is frequently occupied by DDS employees. For these reasons, the DDS\nconsiders the possibility of an unauthorized entry during working hours from this area to\nbe a very low risk item and will complete a risk assessment form regarding this issue.\n\nFinding \xe2\x80\x93 The Intrusion detection system was not adequately protected.\nRecommendation - Change the IDS code. Recommendation \xe2\x80\x93 Install a lock on the\nguard station. Recommendation \xe2\x80\x93 Keep the guard station locked when it is unattended.\n\nResponse- The IDS code was changed on February 7, 2008 as recommended. Although\nthe security guards had been instructed prior to the audit that codes should not be\ndisplayed, they have been reminded that this should not be done and to do so violates\nsecurity procedures. A lock was installed on the guard station, as recommended, on\nJanuary 24, 2008. 
The guard station will be locked when it is unattended.\n\nFinding \xe2\x80\x93 The intrusion detection system was not tested annually. Recommendation \xe2\x80\x93\nEnsure that the IDS is tested semiannually.\n\nResponse \xe2\x80\x93 The maintenance agreement with the IDS vendor was amended starting with\nFY 2008 to provide for semi-annual testing of the IDS. The IDS was tested the first time\nin FY 2008 on December 7, 2007.\n\n\n\n\n                                           E-1\n\x0c                        Alabama Disability Determination Service\n                           Response to Request for Comments\nFinding \xe2\x80\x93 Recycling bins were not adequately secured. Recommendation \xe2\x80\x93 Monitor the\nrecycling process to ensure claimant PII is inaccessible to unauthorized personnel.\n\nResponse \xe2\x80\x93 Starting with FY 2008, the DDS changed vendors for its recycling program.\nThe new recycle containers are lockable and containers with PII will no longer be put\noutside before the recycling contractor\xe2\x80\x99s arrival. Employees have been instructed to\ncheck bins after the contractor has completed its shredding to ensure no outside bins\ncontain PII. The DDS will continue to monitor the recycling process as recommended.\n\nFinding \xe2\x80\x93 Claimant records are not adequately secured. Recommendation \xe2\x80\x93 Require the\ncontracted service clean sensitive areas during business hours.\n\nResponse - The DDS has instructed its contract service to clean sensitive areas during\nbusiness hours. It should be noted that this issue should resolve itself over time. The DDS\nis already processing its initial and OHA workloads in an electronic format rather than\npaper. The DDS is supposed to convert to an electronic format for CDR cases during this\nfiscal year. Pipeline paper cases should be eliminated in a relatively short period of\ntime following this conversion. 
Electronic records are protected from unauthorized\naccess by SSA systems security.\n\nFinding \xe2\x80\x93 Mobile equipment rooms were not locked. Recommendation \xe2\x80\x93 Monitor\nequipment rooms in the Mobile, Alabama office to ensure they remain locked.\n\nResponse \xe2\x80\x93 The equipment rooms in the Mobile office will be monitored, as\nrecommended, to ensure that they remain locked.\n\nFinding \xe2\x80\x93 Annual security awareness training was not adequately documented.\nRecommendation \xe2\x80\x93 Obtain signed statements of understanding from employees\nregarding annual security awareness training.\n\nResponse - Although the DDS had documentation that the security awareness training\nwas conducted, it only obtained employee signatures on a new Form SSA 120 at the time\nof the security awareness training. The DDS has designed an additional form to be\nsigned by employees at their annual security awareness training that will be used for all\nannual security awareness training in the future. Signature of the new/additional forms\nwill start at the time of the next annual security awareness training.\n\n\n\n\n                                            E-2\n\x0c                       Alabama Disability Determination Service\n                          Response to Request for Comments\nFinding \xe2\x80\x93 The DDS Security Plan was not adequate. Recommendation \xe2\x80\x93 Revise the\nSecurity Plan to meet SSA\xe2\x80\x99s requirements.\n\nResponse \xe2\x80\x93 The DDS has already added the recommended items identified in the audit to\nits Security Plan. However, some reformatting of the Security Plan still needs to be done.\nThis should be completed no later than close of business on February 29, 2008. 
A copy of\nthe reformatted Security Plan will be provided to the RO as soon as the reformatting has\nbeen completed.\n\nOTHER MATTER\n\nFinding \xe2\x80\x93 The DDS utilizes the claimant\xe2\x80\x99s SSN on documents sent to medical providers.\nRecommendation \xe2\x80\x93 The AL-DDS should take steps to exclude the SSN from documents\nthat it sends to third parties.\n\nResponse \xe2\x80\x93 The DDS does not use a claimant\xe2\x80\x99s SSN on documents going to third parties\nsuch as neighbors or friends etc. for information regarding claimants. The SSN is only\nused in documents being sent to providers of medical information. Applicant travel forms\nare only sent to claimants, not third parties, and the SSN is required for payment\npurposes. A large segment of the medical community relies on an SSN to\nidentify/distinguish the claimant from other patients. Their computer software and\nbusiness practices are structured to use the SSN as an identifier. The use of the SSN is a\ncritical factor for obtaining information from medical vendors in order to collect the\nneeded evidence for case processing. As long as an Form SSA 827 (Authorization To\nDisclose Information To The Social Security Administration) containing the claimant\nSSN accompanies requests for medical information from treating sources and\nconsultative examination vendors, there is no value in removing the SSN from the request\nfor medical information. It should be noted that the SSN is also used as the identifier for\nMedicare, Medicaid and military Tri-Care programs.\n\n\n\n\n                                           E-3\n\x0c                                                                      Appendix F\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kimberly A. 
Byrd, Director, (205) 801-1650\n\n   Theresa Roberts, Audit Manager, (205) 801-1619\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Cliff McMillan, Senior Auditor\n\n   Janet Matlock, Senior Auditor\n\n   Charles Lober, Information Technology Specialist\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. Refer to Common Identification Number\nA-08-07-17151.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. 
Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                         Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure program\nobjectives are achieved effectively and efficiently. Financial audits assess whether SSA\xe2\x80\x99s\nfinancial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash flow.\nPerformance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs and\noperations. OA also conducts short-term management and program evaluations and projects on\nissues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. 
OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'